Google has released a new version of its Chrome browser, fixing just a small handful of vulnerabilities in the process. All three of the bugs fixed in Chrome were rated high.
The release by Google is a pretty small one by the company’s standards. Often, new versions of Chrome will include fixes for 12 or 15 or more vulnerabilities, many of them rated critical. However, version 16.0.912.75 includes just three patches. As part of its reward program, Google paid out just $2,000 in bug bounties to two researchers who reported bugs fixed in this release. The third vulnerability was found by someone on the Google Chrome Security Team.
Interestingly, one of the vulnerabilities was discovered and reported by someone from Mozilla.
The fixes in Chrome include:
- [$1000] [106672] High CVE-2011-3921: Use-after-free in animation frames. Credit to Boris Zbarsky of Mozilla.
- [$1000] [107128] High CVE-2011-3919: Heap-buffer-overflow in libxml. Credit to Jüri Aedla.
- [108006] High CVE-2011-3922: Stack-buffer-overflow in glyph handling. Credit to Google Chrome Security Team (Cris Neckar).
Google also has released a beta version of Chrome 17, the next major version of the browser. The company doesn’t do big, rolled-up releases the way that Mozilla and Microsoft do, but Chrome 17 will include some new security features and other improvements. The main security upgrade is a change to the way that the Safe Browsing system in Chrome works. The current version of Safe Browsing is designed to protect users against drive-by downloads and malicious links on sites. The new one in Chrome 17 also will run a check on executables and other files downloaded from the Web.
“To help protect you against malicious downloads, Chrome now includes expanded functionality to analyze executable files (such as ‘.exe’ and ‘.msi’ files) that you download. If a file you download is known to be bad, or is hosted on a website that hosts a relatively high percentage of malicious downloads, Chrome will warn you that the file appears to be malicious and that you should discard it. We’re starting small with this initial Beta release, but we’ll be ramping up coverage for more and more malicious files in the coming months,” Dominic Hamon of Google wrote in a blog post.